That's like trying to eat the cake and have it too. We dropped the body-hash parameter because it doesn't work. There are too many complications in getting an interop solution across platforms and body types. There are ASCII, UTF8, binary, etc. bodies and they will all produce different hash values based on at what level the client hashes them. In addition, the HTTP layer can do many things to the data including encoding. On top of that, you have HTTP headers that change the meaning of the payload.

We've tried it and could not come up with any reasonable solution. As someone who has and wants to implement this, I understand the need for it, but at this point within the limitations of HTTP, this belongs as a vendor specific extension until more real-world experience is gained.

EHL

> -----Original Message-----
> From: Peter Wolanin [mailto:peter.wola...@acquia.com]
> Sent: Thursday, November 24, 2011 5:03 AM
> To: Eran Hammer-Lahav
> Cc: OAuth WG
> Subject: Re: [OAUTH-WG] MAC: body-hash
>
> I'd lobby for something more than just prose, since for me, including the
> body or body hash in the HMAC is a pretty essential piece of security for any
> real implementation. I understand that you think it should not be 100%
> required by all servers, and hence should not be a specified field, but then I
> think it should be something like a "standard" extension.
>
> For example, retain some of the existing text describing the bodyhash as
> using the same algorithm as the HMAC and show an example like:
>
> ext="bodyhash:k9kbtCIy0CkI3/FEfpS/oIDjk6k="
>
> Are there any other specific things you see as common examples of ext
> values? Is there a suggested system for indicating or separating multiple ext
> values?
>
> It seems to me without a standardized way to include the body hash in the
> ext field, you immediately invite more diversity in implementations. It would
> also seem by putting it in the ext field, any client could include the hash even
> if the server doesn't require it?
>
> Best,
>
> Peter
>
> On Thu, Nov 24, 2011 at 12:21 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> > In prose, sure. But I'd rather not go further than that.
> >
> > EHL
> >
> >> -----Original Message-----
> >> From: Peter Wolanin [mailto:peter.wola...@acquia.com]
> >> Sent: Wednesday, November 23, 2011 11:53 AM
> >> To: Eran Hammer-Lahav
> >> Cc: OAuth WG
> >> Subject: Re: [OAUTH-WG] MAC: body-hash
> >>
> >> As long as a specific service can make an ext containing the body
> >> hash required, I think this is fine. Can the spec include body hash
> >> as an example of an ext?
> >>
> >> Thanks,
> >>
> >> Peter
> >>
> >> On Sat, Nov 19, 2011 at 10:39 AM, Eran Hammer-Lahav <e...@hueniverse.com> wrote:
> >> > I want to reaffirm our previous consensus to drop the body-hash
> >> > parameter and leave the ext parameter. Body-hash as currently
> >> > specified is going to cause significant interop issues due to
> >> > character (and other) encoding issues. Providers who desire to MAC
> >> > the body can define their own ext use case.
> >> >
> >> > Let me know if you have an objection to this change.
> >> >
> >> > EHL
> >> >
> >> > _______________________________________________
> >> > OAuth mailing list
> >> > OAuth@ietf.org
> >> > https://www.ietf.org/mailman/listinfo/oauth
> >>
> >> --
> >> Peter M. Wolanin, Ph.D. : Momentum Specialist, Acquia. Inc.
> >> peter.wola...@acquia.com : 781-313-8322
> >>
> >> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"
>
> --
> Peter M. Wolanin, Ph.D. : Momentum Specialist, Acquia. Inc.
> peter.wola...@acquia.com : 781-313-8322
>
> "Get a free, hosted Drupal 7 site: http://www.drupalgardens.com"

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
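The interop problem Eran describes (the same logical body hashing differently depending on the layer at which a client hashes it) is easy to reproduce. The following Python is an added illustration, not code from any message in this thread or from the OAuth MAC draft: it takes one constructed JSON body, produces the byte sequences that different legitimate clients or intermediaries might hand to the hash (NFC vs NFD Unicode normalization, UTF-8 vs UTF-16 vs Latin-1, LF vs CRLF line endings, a gzip Content-Encoding), and shows that every one yields a different base64 digest. It assumes SHA-256 as the digest (the thread's sample value is SHA-1 sized, but the point holds for any algorithm); the function names are mine. The last function shows the server-side discipline a vendor-specific ext would have to spell out to be checkable at all: hash exactly the bytes received on the wire, and compare in constant time.

```python
import base64
import gzip
import hashlib
import hmac
import unicodedata

# Constructed sample payload: one logical JSON body with a non-ASCII character
# and a line break, two places where "hash the body" becomes ambiguous.
SAMPLE_BODY = '{"name": "Zoë", "note": "line one\nline two"}'


def body_hash(body: bytes, algorithm: str = "sha256") -> str:
    """Hash the exact bytes given and base64-encode the digest.

    Same shape as the dropped bodyhash value (base64 of a digest), but it says
    nothing about WHICH byte sequence is the right one to hash; that choice is
    the interop problem the thread is about.
    """
    digest = hashlib.new(algorithm, body).digest()
    return base64.b64encode(digest).decode("ascii")


def representations(text: str) -> dict:
    """Byte-level representations of the same logical body.

    Each entry is something a real client, library or HTTP layer might
    legitimately produce; none is wrong, yet each hashes differently.
    """
    return {
        "utf-8 (NFC)": unicodedata.normalize("NFC", text).encode("utf-8"),
        "utf-8 (NFD)": unicodedata.normalize("NFD", text).encode("utf-8"),
        "utf-16": text.encode("utf-16"),
        "latin-1": text.encode("latin-1"),
        "utf-8, CRLF line endings": text.replace("\n", "\r\n").encode("utf-8"),
        # Transfer-level change: the HTTP layer compresses the body in flight.
        "utf-8, gzip Content-Encoding": gzip.compress(text.encode("utf-8"), mtime=0),
    }


def hash_table(text: str) -> dict:
    """Map each representation name to the body hash it produces."""
    return {name: body_hash(raw) for name, raw in representations(text).items()}


def all_distinct(text: str) -> bool:
    """True when every representation yields a different hash, i.e. a client
    and a server that hash at different layers will never agree."""
    hashes = list(hash_table(text).values())
    return len(set(hashes)) == len(hashes)


def verify_wire_body(received: bytes, claimed_hash: str) -> bool:
    """Server-side check in the style a vendor ext would have to define:
    hash the bytes exactly as received (after transport decoding, before any
    parsing or re-encoding) and compare in constant time."""
    return hmac.compare_digest(body_hash(received), claimed_hash)


if __name__ == "__main__":
    for name, h in hash_table(SAMPLE_BODY).items():
        print(f"{name:30} {h}")
    print("all representations hash differently:", all_distinct(SAMPLE_BODY))
```

Running it prints six different digests for what any application would consider the same request body, which is the reason a spec-level bodyhash cannot say "hash the body" without also fixing the character encoding, normalization, line-ending and content-coding layer, none of which HTTP pins down for the client and server at the same time.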